New York Presbyterian Hospital and Columbia University recently agreed to pay a combined total of $4.8 million for their failure to secure thousands of patients’ electronic protected health information (“ePHI”) held on a shared network.  The $4.8 million payment is the largest settlement to date under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Although they are two separate entities, New York Presbyterian and Columbia University operate under a joint arrangement whereby Columbia faculty serve as attending physicians under the banner of “New York Presbyterian Hospital/Columbia University Medical Center.”  The two institutions also share a data network and firewall that both entities maintain.  The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) investigated the matter and determined that the breach occurred when a Columbia physician attempted to deactivate a personally owned computer server, holding patient ePHI, that was connected to the shared network.  The deactivation left the ePHI reachable from the public internet, where it was also discoverable through search engines.

The OCR investigation began after the entities received a complaint in September 2010 from an individual who had found the ePHI of his deceased partner, a former New York Presbyterian patient, on the internet.  The exposed ePHI of nearly 7,000 patients included patient status, vital signs, medications, and laboratory results.  The two institutions submitted a joint breach report on September 27, 2010 detailing the disclosure, notified each affected individual, and notified media outlets.  In a joint statement, New York Presbyterian and Columbia University said there was no evidence that the disclosed information had been misused.

Beyond the breach itself, OCR determined that neither New York Presbyterian nor Columbia University had sufficient software and security safeguards in place to prevent such a breach.  Further, neither entity had performed a thorough risk analysis identifying all of the systems with access to ePHI, so neither had ever developed an adequate risk management plan for addressing potential confidentiality breaches.  New York Presbyterian also had insufficient policies for authorizing access to its databases and failed to comply with its own policies on information access management.

Because of the breach and these deficiencies, New York Presbyterian agreed to pay $3,300,000 and Columbia University agreed to pay $1,500,000.  As part of the settlement, both entities must conduct a risk analysis, revise their risk management plans and policies, and report their progress to OCR.

Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, advised that entities that share joint compliance arrangements also “share the burden of addressing the risks to protected health information.”  She added that this case should serve as a warning to healthcare institutions about how crucial data security is when managing information systems.